Tools and Techniques for Risk Quantification
Following are some of the tools and techniques that are available to assess and evaluate risks:
(a) Judgment and intuition: In many situations, management and auditors have to rely on their judgment and intuition for risk assessment. This depends mainly on the personal and professional experience of the management and auditors and on their understanding of the business, the system and its environment. It also requires systematic education and ongoing professional updating.
(b) The Delphi approach: The Delphi technique is defined as 'a method for structuring a group communication process so that the process is effective in allowing a group of individuals as a whole to deal with a complex problem'. It was originally developed as a technique for the US Department of Defence, and the Rand Corporation first used it to obtain a consensus opinion. A panel of experts is appointed, and each expert gives his or her opinion independently and in writing, listing estimates of the costs and benefits, the reasons why a particular system should be chosen, and the risks and exposures of the system. These estimates are then compiled. Estimates within a pre-decided acceptable range are accepted; the process may be repeated four times to revise the estimates that fall outside that range. Finally, a curve is drawn with all the estimates as points on the graph, and the median is taken as the consensus opinion.
(c) Scoring: In the scoring approach, the risks in the business and system and their respective exposures are listed. Weights are then assigned to each risk and to each exposure depending on severity, impact on occurrence and the costs involved. The product of the risk weight and the exposure weight of every characteristic gives the weighted score, and the sum of these weighted scores gives the risk and exposure score of the system. System risks and exposures are then ranked according to the scores obtained.
(d) Quantitative techniques: These techniques calculate an annual loss exposure value from the probability of the event and the exposure in terms of estimated costs. This helps the organisation select cost-effective solutions. It is an assessment of the potential damage if an unfavourable event occurs, taking into account how often such an event may occur.
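As an added example (not from the original post), the scoring approach in (c) and the annual loss exposure calculation in (d), written in Python. The Risk fields, the weight scale, the rule used to judge whether a control is cost-effective, and the sample figures are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    risk_weight: int           # assumed 1-5 scale: severity / likelihood of the risk
    exposure_weight: int       # assumed 1-5 scale: impact and cost if it materialises
    annual_probability: float  # estimated probability of the event occurring in a year
    estimated_cost: float      # estimated loss per occurrence, in currency units


def weighted_score(risk):
    """Scoring approach: risk weight x exposure weight for one characteristic."""
    return risk.risk_weight * risk.exposure_weight


def system_score(risks):
    """Sum of the weighted scores = risk and exposure score of the whole system."""
    return sum(weighted_score(r) for r in risks)


def rank_by_score(risks):
    """Rank the listed risks, highest weighted score first."""
    return sorted(risks, key=weighted_score, reverse=True)


def annual_loss_exposure(risk):
    """Quantitative approach: probability of the event x exposure (estimated cost)."""
    return risk.annual_probability * risk.estimated_cost


def control_is_cost_effective(risk, annual_control_cost, residual_probability):
    """Assumed rule: a control is worth buying when the reduction in annual loss
    exposure it brings exceeds its own annual cost. residual_probability is the
    estimated probability of the event once the control is in place."""
    reduction = annual_loss_exposure(risk) - residual_probability * risk.estimated_cost
    return reduction > annual_control_cost


# Constructed sample inventory (hypothetical values, not taken from the page)
RISKS = [
    Risk("Fire in server room", 2, 5, 0.02, 500_000),
    Risk("Payroll fraud", 3, 4, 0.10, 50_000),
    Risk("Ransomware on file server", 4, 4, 0.25, 120_000),
]

if __name__ == "__main__":
    for r in rank_by_score(RISKS):
        print(f"{r.name:28} score={weighted_score(r):2}  ALE={annual_loss_exposure(r):>10,.0f}")
    print("system risk and exposure score:", system_score(RISKS))
```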
(e) Qualitative techniques: These are the most widely used approaches to risk analysis. Probability data is not required; only the estimated potential loss is used. Most qualitative risk analysis methodologies use a number of interrelated elements:
Threats: These are things that can go wrong or that can 'attack' the system. Examples might include fire or fraud. Threats are ever present for every system.
Vulnerabilities: These make a system more prone to attack by a threat, or make an attack more likely to succeed or to have an impact. For fire, for example, a vulnerability would be the presence of inflammable materials (e.g. paper).
Controls: These are the countermeasures for vulnerabilities. They are of four types:
(i) Deterrent controls reduce the likelihood of a deliberate attack.
(ii) Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
(iii) Corrective controls reduce the effect of an attack.
(iv) Detective controls discover attacks and trigger preventative or corrective controls.